Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qrtr_node_enqueue
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:56 [inline]
BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:837 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:29 [inline]
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x8e/0x610 kernel/locking/mutex.c:1237
Read of size 8 at addr ffff8880a65abc00 by task kworker/u4:1/21
CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: qrtr_ns_handler qrtr_ns_worker
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
check_memory_region_inline mm/kasan/generic.c:186 [inline]
check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
instrument_atomic_read include/linux/instrumented.h:56 [inline]
atomic64_read include/asm-generic/atomic-instrumented.h:837 [inline]
atomic_long_read include/asm-generic/atomic-long.h:29 [inline]
__mutex_unlock_slowpath+0x8e/0x610 kernel/locking/mutex.c:1237
qrtr_node_enqueue+0x729/0x1240 net/qrtr/qrtr.c:367
qrtr_send_resume_tx net/qrtr/qrtr.c:992 [inline]
qrtr_recvmsg+0x6ad/0x850 net/qrtr/qrtr.c:1043
sock_recvmsg_nosec net/socket.c:885 [inline]
sock_recvmsg net/socket.c:903 [inline]
sock_recvmsg net/socket.c:899 [inline]
kernel_recvmsg+0x110/0x160 net/socket.c:928
qrtr_ns_worker+0x15a/0x14fc net/qrtr/ns.c:624
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Allocated by task 8062:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
kmem_cache_alloc_trace+0x174/0x2c0 mm/slab.c:3550
kmalloc include/linux/slab.h:554 [inline]
kzalloc include/linux/slab.h:666 [inline]
qrtr_endpoint_register+0x81/0x530 net/qrtr/qrtr.c:557
qrtr_tun_open+0x14c/0x1b0 net/qrtr/tun.c:46
misc_open+0x372/0x4a0 drivers/char/misc.c:141
chrdev_open+0x266/0x770 fs/char_dev.c:414
do_dentry_open+0x4b9/0x11b0 fs/open.c:817
do_open fs/namei.c:3251 [inline]
path_openat+0x1b9a/0x2730 fs/namei.c:3368
do_filp_open+0x17e/0x3c0 fs/namei.c:3395
do_sys_openat2+0x16d/0x420 fs/open.c:1168
do_sys_open fs/open.c:1184 [inline]
__do_sys_openat fs/open.c:1200 [inline]
__se_sys_openat fs/open.c:1195 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1195
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 8060:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
__cache_free mm/slab.c:3418 [inline]
kfree+0x10e/0x2b0 mm/slab.c:3756
__qrtr_node_release+0x2ee/0x3b0 net/qrtr/qrtr.c:189
kref_put_mutex include/linux/kref.h:76 [inline]
qrtr_node_release net/qrtr/qrtr.c:205 [inline]
qrtr_node_release net/qrtr/qrtr.c:201 [inline]
qrtr_endpoint_unregister+0x3a2/0x410 net/qrtr/qrtr.c:615
qrtr_tun_release+0x37/0x60 net/qrtr/tun.c:115
__fput+0x285/0x920 fs/file_table.c:281
task_work_run+0xdd/0x190 kernel/task_work.c:141
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop kernel/entry/common.c:163 [inline]
exit_to_user_mode_prepare+0x1e1/0x200 kernel/entry/common.c:190
syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:265
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff8880a65abc00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff8880a65abc00, ffff8880a65abe00)
The buggy address belongs to the page:
page:00000000b42fe1d4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa65ab
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a5b108 ffffea00029edb88 ffff8880aa040600
raw: 0000000000000000 ffff8880a65ab000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a65abb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a65abb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a65abc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a65abc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a65abd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: f4d51dff Linux 5.9-rc4
git tree:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output:
https://syzkaller.appspot.com/x/log.txt?x=11f37335900000
kernel config:
https://syzkaller.appspot.com/x/.config?x=a9075b36a6ae26c9
patch:
https://syzkaller.appspot.com/x/patch.diff?x=15f11bcd900000